diff --git a/config/arachnide/configuration.nix b/config/arachnide/configuration.nix
index 89c9b86..916d33a 100644
--- a/config/arachnide/configuration.nix
+++ b/config/arachnide/configuration.nix
@@ -7,6 +7,7 @@
 /var/src/modules/nixin.nix
 /var/src/modules/users.nix
 /var/src/modules/wireguard-client.nix
+ /var/src/modules/reverse-proxy.nix
 ];
 # Bootloader.
diff --git a/modules/reverse-proxy.nix b/modules/reverse-proxy.nix
new file mode 100644
index 0000000..be5805d
--- /dev/null
+++ b/modules/reverse-proxy.nix
@@ -0,0 +1,101 @@
+{ config, lib, pkgs, ... }:
+
+let
+ localCertificationDirectory = config.security.localCertification.directory;
+in
+{
+ # Enable Traefik
+ services.traefik.enable = true;
+
+ # Let Traefik interact with Docker
+ services.traefik.group = "docker";
+
+ virtualisation.docker.enable = true;
+
+ virtualisation.oci-containers = {
+ backend = "docker";
+ };
+
+ # Traefik static configuration options
+ services.traefik.staticConfigOptions = {
+ api.dashboard = true;
+ api.insecure = false;
+
+ # Enable logs
+ #log.filePath = "/var/log/traefik/traefik.log";
+ log = {
+ level = "INFO";
+ filePath = "${config.services.traefik.dataDir}/traefik.log";
+ format = "json";
+ };
+ accessLog.filePath = "/var/log/traefik/accessLog.log";
+
+ # Enable Docker provider
+ providers.docker = {
+ endpoint = "unix:///run/docker.sock";
+ watch = true;
+ exposedByDefault = false;
+ };
+
+ # Configure entrypoints, i.e the ports
+ entryPoints = {
+ web = {
+ address = ":80";
+ http.redirections.entryPoint = {
+ to = "websecure";
+ scheme = "https";
+ };
+ };
+ websecure = {
+ address = ":443";
+ asDefault = true;
+ http.tls.certResolver = "acme-challenge";
+ };
+ };
+
+ # Configure certification
+ certificatesResolvers.acme-challenge.acme = {
+ email = "contact@distrilab.fr";
+ storage = "${config.services.traefik.dataDir}/acme.json";
+ httpChallenge.entryPoint = "web";
+ };
+
+ };
+
+ # Whitelist middleware to limit access to the wireguard network
+ services.traefik.dynamicConfigOptions.http.middlewares.wg-whitelist.ipwhitelist = {
+ sourceRange = [ "192.168.12.0/24" ];
+ };
+
+ # Dashboard
+ services.traefik.dynamicConfigOptions.http.routers.dashboard = {
+ rule = lib.mkDefault "Host(`traefik.lab12.fr`)";
+ service = "api@internal";
+ # restrict access to the dashboard
+ middlewares = [ "wg-whitelist" ];
+ entryPoints = [ "websecure" ];
+ };
+
+
+ # Example proxy for a local service listening on port 8012
+ services.traefik.dynamicConfigOptions.http.services."example.lab12.fr" = {
+ loadBalancer.servers = [
+ { url = "http://127.0.0.1:8012"; }
+ ];
+ };
+
+ # Example docker service with traefik proxy enabled through labels
+ virtualisation.oci-containers.containers.whoami = {
+ autoStart = true;
+ image = "jwilder/whoami";
+ extraOptions = [
+ "--label=traefik.enable=true"
+ "--label=traefik.http.routers.whoami.entrypoints=websecure"
+ "--label=traefik.http.routers.whoami.rule=Host(`whoami.lab12.fr`)"
+ "--label=traefik.http.routers.whoami.tls=true"
+ "--label=traefik.http.services.whoami.loadbalancer.server.port=8000"
+ "--label=traefik.http.routers.whoami.tls.certresolver=acme-challenge"
+ ];
+ };
+
+}
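Review bot: Putting Traefik in the `docker` group and pointing `providers.docker.endpoint` at `unix:///run/docker.sock` hands the internet-facing TLS terminator root-equivalent control of the host, so any Traefik compromise becomes a host compromise; either record that decision next to `services.traefik.group = "docker";` with a comment such as `# NOTE: docker group = root-equivalent via the socket; Traefik is a full trust boundary here` or route the provider through a read-only Docker socket proxy that exposes only the containers API. The `wg-whitelist` middleware is the sole control on `api@internal`; as far as I can tell it evaluates the peer address unless an `ipStrategy` is set, which is fine while nothing sits in front of this host, but it is worth confirming no forwarded headers are trusted, and a `basicAuth` middleware stacked on it would be a cheap second layer (`ipwhitelist` is also the pre-v3 name, `ipAllowList` in v3 — check the packaged Traefik version). `image = "jwilder/whoami";` is unpinned, so an upstream retag changes what this host runs; pin a tag or digest. `accessLog.filePath` still targets `/var/log/traefik/`, while the main log was moved under `dataDir`, presumably because that directory is not writable by the service user, so the access log may silently fail to open; `localCertificationDirectory` in the `let` is unused and can be dropped.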